How long is your rack?

On Aug 15, 2011, at 10:12:21 AM, Randy Bush wrote:
>> I've always wondered if the next cisco/juniper 0 day will be delivered
>> via a set of exploits delivered via a link posted to NANOG. :) Maybe
>> I'll do a talk at DEFCON next year about that.
>> more likely a 'shortened' url. how anyone can click those is beyond me.
> I'm curious what your objection is.

Mine is privacy -- the owner of the shortening site gets to see every place
you visit using one of those. I don't think there's a significant incremental
security risk, because the URL you click on doesn't tell you what you'll
receive in any event. Case in point: https://www.cs.columbia.edu/~smb/SMBlog-in-PDF.pdf
does *not* yield a PDF. (As far as I know, it's a completely safe URL to
click on, but I can't guarantee that someone else didn't hack my site. I, at
least, haven't put any nasties there.)

Yes, when you avoid shortened URLs you get some assurance of the owner of
the content. Given the rate of hacking -- is anyone really safe from a
determined amateur attack, let alone state-sponsored nastiness? -- and
given the amount of third-party content served up by virtually all ad-containing
sites, you really have no idea what you're going to receive when you click
on any link.

--Steve Bellovin, http://www.cs.columbia.edu/~smb
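The point Steve makes with the SMBlog-in-PDF.pdf link is that a URL's filename extension promises nothing about the bytes the server actually returns. The following is an added example, not code from the thread or from Steve Bellovin: a small checker of the kind a mail gateway or forward proxy could apply, comparing three things for one response: the type the URL path suggests, the type the Content-Type header declares, and the type the first bytes of the body actually sniff as. The response bodies and headers below are constructed sample inputs (the post only says the columbia.edu URL does not yield a PDF; the HTML response attached to it here is an assumption), and the magic-byte table is a deliberately small subset.

```python
"""Flag responses whose real content does not match what the URL suggests.

Added example (not from the NANOG thread). Inputs are constructed samples;
the signature tables cover only a handful of common types.
"""
from typing import List, Optional
from urllib.parse import urlparse
import posixpath

# Leading-byte signatures for a few common file types (constructed subset).
MAGIC = {
    b"%PDF-": "application/pdf",
    b"\x89PNG\r\n\x1a\n": "image/png",
    b"PK\x03\x04": "application/zip",
    b"MZ": "application/x-dosexec",
}

# What a filename extension in the URL path *suggests* the content is.
EXT_TO_TYPE = {
    ".pdf": "application/pdf",
    ".png": "image/png",
    ".zip": "application/zip",
    ".html": "text/html",
    ".htm": "text/html",
}


def sniff(body_prefix: bytes) -> str:
    """Classify a body by its leading bytes, ignoring any header or URL."""
    for magic, mime in MAGIC.items():
        if body_prefix.startswith(magic):
            return mime
    head = body_prefix.lstrip().lower()
    if head.startswith((b"<!doctype html", b"<html")):
        return "text/html"
    return "application/octet-stream"


def expected_from_url(url: str) -> Optional[str]:
    """Type the URL's path extension implies, or None if it implies nothing."""
    ext = posixpath.splitext(urlparse(url).path)[1].lower()
    return EXT_TO_TYPE.get(ext)


def check_response(url: str, content_type_header: Optional[str],
                   body_prefix: bytes) -> List[str]:
    """Return human-readable findings; an empty list means everything agrees."""
    findings = []
    declared = None
    if content_type_header:
        # Drop parameters such as "; charset=utf-8".
        declared = content_type_header.split(";")[0].strip().lower()
    actual = sniff(body_prefix)
    expected = expected_from_url(url)

    if expected and actual != expected:
        findings.append(f"url-suggests {expected} but body is {actual}")
    # Only complain about the header when the body sniffed as something definite.
    if declared and actual != "application/octet-stream" and declared != actual:
        findings.append(f"header says {declared} but body is {actual}")
    return findings


# Constructed sample responses (URL from the post; bodies/headers assumed).
SAMPLES = [
    ("https://www.cs.columbia.edu/~smb/SMBlog-in-PDF.pdf",
     "text/html; charset=utf-8", b"<!DOCTYPE html><html><body>blog</body></html>"),
    ("https://example.invalid/paper.pdf",
     "application/pdf", b"%PDF-1.7\n%\xe2\xe3\xcf\xd3\n"),
    ("https://example.invalid/report.pdf",
     "application/pdf", b"MZ\x90\x00\x03\x00\x00\x00"),
]


def run_samples() -> dict:
    """Evaluate every constructed sample; keyed by URL for easy inspection."""
    return {url: check_response(url, ctype, body) for url, ctype, body in SAMPLES}


if __name__ == "__main__":
    for url, findings in run_samples().items():
        print(url, "->", findings or "consistent")
```

The third sample shows why the header alone is not enough: a server (or a compromised site) can label anything as `application/pdf`, so the body sniff is the check that carries weight, and a mismatch between all three is a stronger signal than any one of them.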